Google Switches On HSTS

Google has switched on HTTP Strict Transport Security (HSTS) for its google.com domain, in a bid to improve security on the web by forcing users who visit the site to do so via HTTPS.

If a webmaster switches on HSTS it will prevent users visiting their site to use HTTP, as long as the more secure protocol is available.

The move will also affect sites that use the google.com domain including YouTube, Maps, Play Store, Gmail and many more.

HTTPS encrypts data in transit between the user and the website, thus guarding against man-in-the-middle and other eavesdropping attacks. HSTS should also counter SSL Strip attacks which attempt to downgrade the connection from HTTPS to HTTP.

Google senior technical program manager, Jay Brown, explained that the web giant had to overcome some specific challenges during the transition – most notably in breaking the firm’s Santa Tracker last Christmas.

“Ordinarily, implementing HSTS is a relatively basic process. However, due to Google's particular complexities, we needed to do some extra prep work that most other domains wouldn't have needed to do,” he explained.

“For example, we had to address mixed content, bad HREFs, redirects to HTTP, and other issues like updating legacy services which could cause problems for users as they try to access our core domain.”

The work is not over for Google, however, with the firm hoping to eventually have 100% encryption across all of its products and services. Currently around 80% of requests to its servers use encrypted connections.

When it comes to the HSTS push, there’s also the issue of increasing the duration the header is active – or “max-age.”

“We've initially set the header’s max-age to one day; the short duration helps mitigate the risk of any potential problems with this roll-out,” explained Brown.

“By increasing the max-age, however, we reduce the likelihood that an initial request to www.google.com happens over HTTP. Over the next few months, we will ramp up the max-age of the header to at least one year.”

Google’s efforts are being replicated all over the industry, with the HTTPS Everywhere initiative from the EFF and Tor Project hoping to coral more industry players into migrating over to the protocol as standard.

What’s Hot on Infosecurity Magazine?